Legal TODO

Tracking legal elements/pages that need to be added, updated, or completed. Items marked ⚠ COUNSEL require a legal/business decision before publishing. Items checked [x] were applied to terms-of-use.mdx (v0.7) / privacy-policy.mdx (v0.8); latest pass 2026-05-22. Analytics: PostHog replaced with self-hosted, open-source Matomo (in-house); Google Analytics and Sentry retained.

Affiliate / Exchange Disclosure

  • Affiliate Disclosure page (legal/affiliate-disclosure.mdx) finalized (May 22, 2026): removed the draft TODO, discloses commission + geo-gating in FTC-clear wording, cross-links to ToS/PP, contact set to info@. Per owner request the page is kept generic — it does NOT name the exchanges or state live scope; those specifics live in ToS §5.3. Counsel sign-off still recommended.
  • Exchange naming — handled in ToS §5.3 and PP §6 (affiliate page intentionally defers to them).
  • Affiliate page per-exchange policy links — optionally add direct links to each exchange’s terms/privacy/AML on the affiliate page (currently cross-linked via ToS §3.5 / PP §6).
  • Name all six exchanges — Binance, OKX, Bybit, KuCoin, Indodax, Tokocrypto disclosed individually in ToS §3 and PP §6 (each a separate legal entity / independent data controller).
  • Affiliate links live only for Bybit & KuCoin — business/counsel to confirm scope before launch (no longer stated on the affiliate page). Binance/OKX/Indodax/Tokocrypto links currently disabled.
  • ⚠ COUNSEL — placeholder benefit figures — do NOT publish placeholder promo figures (e.g. “-20% fees”, “$10,000 rewards”); replace with contractually accurate terms or risk advertising-law exposure.
  • Update Terms of Use affiliate section — ToS §5.3 (formerly §4.3) updated: names the six exchanges, discloses commission, adds geo-gating; uses “affiliate” terminology throughout.
  • Embed exchange legal links — referenced in ToS §3.5 (exchange Terms) and PP §6 (exchange Privacy Policies). Links verified working on 2026-05-19; re-check before publishing. Note: only Terms (ToS) and Privacy (PP) are embedded; AML/compliance links are not embedded in the user-facing docs (most exchanges have no standalone AML URL — see notes below).
Notes on gaps (no standalone, verifiable AML-policy URL exists):
  • Binance — no global standalone AML page; AML is inside the Terms. The dedicated compliance page exists only on the US entity. The global Privacy Notice is jurisdiction-specific, so the Privacy Portal is the canonical entry point.
  • Bybit — no standalone canonical AML document; the User Protection & Compliance page is the closest official page. AML obligations are also embedded in the Terms.
  • KuCoin — no standalone public AML/CTF URL; AML/CTF content is incorporated into the Terms of Use and Privacy Policy.
  • Indodax — no standalone AML page; AML/CFT is covered within the Terms and Privacy Notice. Help-center pages are bot-protected (HTTP 403 to automated browsers) but confirmed published.
  • Tokocrypto — all three documents (incl. a dedicated AML/CFT policy) confirmed via the help-center API.

Privacy Policy updates

  • Disclose exchange/portfolio financial data collected — PP §2 now covers credentials, balances/holdings, full trade/order/transfer/ledger history, open positions & PnL, net-worth history, public wallet addresses and on-chain transaction IDs, with a sensitivity warning.
  • Sub-processor list — PP §6 “Third Parties and Sub-Processors” lists the 6 exchanges, AWS, Alchemy, CoinGecko, the LLM providers, and the existing analytics/payment processors.
  • AI provider transparency — PP §7 names the LLM providers (OpenAI, Anthropic, Google, Groq, xAI, DeepSeek), discloses that portfolio data is sent as context, and notes routing varies by tier/backend.
  • ⚠ COUNSEL — DeepSeek routing — decided (disclosed in PP §7) & applied; counsel still to confirm acceptability of China-based routing of financial data for EU/UK users.
  • ⚠ COUNSEL — full-history ingestion — lawful basis stated as Contract in PP §2 & applied; counsel to confirm (GDPR Art. 6).
  • ⚠ COUNSEL — retention period — event-based retention adopted & applied in PP §4 (retained until disconnect/account deletion); counsel to confirm against GDPR Art. 5(1)(e) storage limitation.
  • Document deletion mechanics — PP §5 “Erase” extended: disconnect hard-deletes that exchange’s data; account deletion cascades to all portfolio data. Cross-references legal/account-deletion.mdx.
  • Net-worth snapshot retention — disclosed in PP §2 and §4 (retained for the life of the account, deleted on account deletion).
  • International data transfer disclosure — PP §8 “Third-Party Processing” updated for the new sub-processors and the EU/US/Singapore/China jurisdictions.
  • Per-exchange data-coverage differences — noted in PP §2 (some connected exchanges provide spot-only data).

Terms of Service / Terms of Use updates

  • Read-only API key / non-custodial disclaimer — ToS §3 “Read-Only Exchange Connections” added: read-only keys only, no order-execution/trading/withdrawal capability.
  • No financial advice for AI portfolio commentary — ToS §4.4 added covering AI-generated commentary on the user’s connected portfolio.
  • NFA / DYOR disclaimer — extended in ToS §4 (informational only, not advice, DYOR, consult professionals).
  • Jurisdiction / eligibility clause — ToS §5.3 documents affiliate-link geo-gating (sanctions: Iran/North Korea/Cuba/Syria; UK FCA regime; per-exchange blocks) and clarifies it affects affiliate-link display only.

Critical review findings (2026-05-22) — counsel / engineering required

From the four-agent legal review of PR #77. These are NOT pure wording fixes — each needs a legal or engineering decision before launch.
  • ⚠ COUNSEL — EU & UK Art. 27 representatives (MISSING) — a US-only controller serving/monitoring EU/UK users must appoint, and disclose, both an EU and a UK representative. Neither is named. Standalone GDPR breach.
  • ⚠ COUNSEL — DeepSeek/China transfer mechanism — bare “SCCs where applicable” is likely indefensible for China (no adequacy; Schrems II TIA; live DPA bans on DeepSeek in Italy/Germany). Exclude DeepSeek for EU/UK users or hold a documented TIA. (Strengthens the existing DeepSeek item.)
  • ⚠ COUNSEL — UK FCA core-service exposure — ToS §5.3 states geo-gating does not restrict the core Services, but promoting $BRO + AI Alpha to UK consumers may itself be a regulated financial promotion (criminal exposure) regardless of affiliate links. Decide: geo-block core promotional/AI Alpha/token surface for the UK, or obtain a lawful route. ToS currently understates this.
  • ⚠ COUNSEL — consumer arbitration clause — ToS §13 mandatory Delaware arbitration is likely unenforceable against EU/UK consumers (UCTD/Brussels Ia) and omits a US class-action waiver. Add a class-action waiver + EU/UK/Canada consumer carve-out.
  • ⚠ COUNSEL — CCPA/CPRA California section — add notice-at-collection, California consumer rights, and the SPI right-to-limit (exchange API credentials = Sensitive Personal Information under CPRA). Currently only one line.
  • ⚠ COUNSEL — Art. 22 profiling/ADM disclosure — disclose the existence, logic, and significance of AI profiling of user portfolios (AI Alpha, portfolio commentary).
  • ⚠ COUNSEL — lawful-basis reconciliation — ToS §9.2 grants a “perpetual license … for training” while PP §7 says LLM data is used “solely to generate the response you requested.” Reconcile, and give training/improvement its own basis (consent or LI + balancing test).
  • ⚠ COUNSEL — ePrivacy cookie/analytics consent — GA/Matomo/Sentry client SDKs require prior opt-in consent in EU/UK; PP labels analytics “legitimate interest” in places. Confirm the cookie banner is prior, granular, opt-in and align the stated basis.
  • ⚠ COUNSEL — MSB/custody framing — ToS §2 states “not a money-services business / not a custodian” as fact. Soften to a position and obtain a FinCEN + state-MTL + $BRO buy-back-mechanic memo.
  • ⚠ COUNSEL — AML/sanctions reconciliation — ToS §1.2 and §5.3 carry two different sanctions lists; reference the live OFAC program rather than enumerating, and align the “we screen users” claim with the identity data actually collected (social/email login + read-only key, no KYC).
  • ⚠ COUNSEL — Indonesia PDP Law cross-border transfer — transfers of Indonesian users’ financial data to the US/China need a PDP-compliant mechanism (in addition to the PSE/ITSK reviews below).
  • ⚠ COUNSEL — DPIA — perform and document a Data Protection Impact Assessment (large-scale sensitive financial data + portfolio monitoring + China transfer trigger Art. 35).
  • In-product affiliate disclosure (FTC) — FTC 16 CFR Part 255 requires a clear-and-conspicuous disclosure adjacent to each affiliate link in-product, not only on the policy page.
  • Per-exchange data-coverage table — current disclosure is a light inline note; consider a per-exchange breakdown of what data each exchange exposes.

Data Security Statement (new document — not yet started)

  • Create a Data Security Statement — new legal page describing the security model.
  • Encryption model — exchange credentials protected with AWS KMS envelope encryption (AES-256-GCM), a unique per-record data-encryption key, encrypted blob stored as binary in PostgreSQL; production-isolated CMK (alias/neurobro-exchange-credentials-prod); supports in-place credential rotation with key-version audit trail.
  • Read-only access model — no execution capability (supports_execute = False hardcoded; sandbox/paper-trading disabled).
  • Transport & scoping — HTTPS/TLS in transit; all data user-scoped; cascading deletion.
  • Describe memory handling honestly — credentials held in memory only for the duration of a single connect/sync operation; do not overstate (Python cannot guarantee explicit memory zeroization).
  • Self-hosted observability — note that the memory sync service uses no third-party error-tracking SDK; observability there is self-hosted (Loki). (Product analytics is also self-hosted via Matomo.)
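A worked version of the envelope-encryption model described above, added here as an illustration and not the project's own code: a fresh DEK per record, the credential sealed with AES-256-GCM, the DEK wrapped under a versioned master key, and in-place credential rotation that extends a key-version audit trail. It assumes a local dict of master keys as a stand-in for AWS KMS (so it runs offline) and uses the `cryptography` package; the record ID is bound as associated data so a blob cannot be moved between rows, and `rotate_master_key()` must run once before any credential is encrypted.

```python
import os
from dataclasses import dataclass, field
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Stand-in for AWS KMS: a local dict of master-key versions (an assumption so the
# example runs offline; production wraps/unwraps the DEK via KMS Encrypt/Decrypt).
MASTER_KEYS: dict[int, bytes] = {}

def rotate_master_key() -> int:
    """Install a new 256-bit master-key version and return its version number."""
    version = max(MASTER_KEYS, default=0) + 1
    MASTER_KEYS[version] = AESGCM.generate_key(bit_length=256)
    return version

@dataclass
class Record:
    """Row shape that would be stored as a binary column in PostgreSQL."""
    key_version: int    # master-key version that wrapped the current DEK
    wrapped_dek: bytes  # DEK encrypted under the master key
    blob: bytes         # credential encrypted under the DEK (AES-256-GCM)
    audit: list[int] = field(default_factory=list)  # key versions used, oldest first

def _seal(key: bytes, plaintext: bytes, record_id: str) -> bytes:
    """AES-256-GCM with a fresh 96-bit nonce prepended; record_id is bound as
    associated data, so a blob copied into another row fails authentication."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, record_id.encode())

def _open(key: bytes, blob: bytes, record_id: str) -> bytes:
    """Inverse of _seal; raises cryptography.exceptions.InvalidTag on tampering."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], record_id.encode())

def encrypt_credential(record_id: str, secret: bytes) -> Record:
    """Fresh DEK per record; credential under the DEK, DEK under the current master key."""
    version = max(MASTER_KEYS)
    dek = AESGCM.generate_key(bit_length=256)
    return Record(version, _seal(MASTER_KEYS[version], dek, record_id),
                  _seal(dek, secret, record_id), [version])

def decrypt_credential(record_id: str, rec: Record) -> bytes:
    """Unwrap with the row's recorded master-key version (old versions stay readable), then open."""
    dek = _open(MASTER_KEYS[rec.key_version], rec.wrapped_dek, record_id)
    return _open(dek, rec.blob, record_id)

def rotate_credential(record_id: str, rec: Record, new_secret: bytes) -> None:
    """In-place rotation: new DEK and blob under the current master key, and
    that key version appended to the record's audit trail."""
    fresh = encrypt_credential(record_id, new_secret)
    rec.key_version, rec.wrapped_dek, rec.blob = fresh.key_version, fresh.wrapped_dek, fresh.blob
    rec.audit.append(fresh.key_version)
```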

Regulatory / jurisdiction reviews

  • Indonesia PSE / foreign ESO registration — review whether registration as a foreign Electronic System Operator (PSE) is required.
  • OJK ITSK framework — review applicability of the OJK ITSK framework (covers technology innovation affecting products, activities, services, or business models in the digital financial ecosystem).
  • ⚠ COUNSEL — confirm country blocklists — code blocklists are “starter data from 2026-05-18 legal research” and must be counsel-confirmed before launch; specifically flagged: Indonesia, the UK FCA regime, and Bybit-in-Malaysia.
  • ⚠ COUNSEL — core-service jurisdiction restriction — decide whether the core portfolio/exchange-connect service (not just affiliate links) needs country-based access control.

Product documentation

  • API key creation guidelines — add per-exchange API key creation guidelines, broken down by supported region, covering required permissions (read-only) and regional availability.
  • Scrub Sentry SQL parameters — SQLAlchemy integration may capture SQL query parameters (user IDs, financial values) despite send_default_pii=False; add explicit scrubbing before claiming no financial data leaves systems for monitoring.
  • Sanitize exchange error logs — raw exchange error messages (str(exc)) can contain balance amounts or masked API-key fragments; sanitize before launch.
  • Enforce REDIS_PASSWORD in production — the sync queue is unauthenticated if unset.
  • Decide on a retention-purge job — confirm/decide whether old trade/order/ledger/transfer history is purged on a schedule.
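An added example (not the project's code) covering the two scrubbing items above: a sanitizer for raw str(exc) messages that redacts masked key fragments and balance amounts while keeping error codes, and a Sentry before_send hook that applies it to exception values and breadcrumbs and drops bound parameters from query breadcrumbs outright. The sample error strings are constructed, and the event layout assumed is Sentry's standard event JSON.

```python
import re
from typing import Any

# Masked key fragments that exchanges echo back ("ab12****yz89") and any long
# alphanumeric run that could be a raw key, secret or signature.
_KEY_FRAGMENT = re.compile(r"\b[A-Za-z0-9]{2,}\*{2,}[A-Za-z0-9]{2,}\b|\b[A-Za-z0-9]{24,}\b")
# Amounts: a number with a fractional part, or one directly followed by an asset
# ticker; plain integers such as HTTP statuses and exchange error codes are kept.
_AMOUNT = re.compile(r"(?<![\w.])-?\d+\.\d+\b|(?<![\w.])-?\d+(?=\s?[A-Z]{3,5}\b)")

def sanitize_exchange_error(message: str) -> str:
    """Redact key material and balances from a raw str(exc) before it is logged."""
    message = _KEY_FRAGMENT.sub("[REDACTED_KEY]", message)
    return _AMOUNT.sub("[AMOUNT]", message)

def scrub_event(event: dict[str, Any], hint: dict[str, Any]) -> dict[str, Any]:
    """Sentry before_send hook (wire up with sentry_sdk.init(before_send=scrub_event)).
    Walks the standard event JSON: exception values, breadcrumbs and message."""
    for exc in event.get("exception", {}).get("values", []):
        if isinstance(exc.get("value"), str):
            exc["value"] = sanitize_exchange_error(exc["value"])
    for crumb in event.get("breadcrumbs", {}).get("values", []):
        if crumb.get("category") == "query":
            # Query breadcrumbs carry the statement in "message" and any captured
            # bound parameters under "data"; drop that dict outright instead of
            # trusting send_default_pii=False to have withheld the values.
            crumb.pop("data", None)
        if isinstance(crumb.get("message"), str):
            crumb["message"] = sanitize_exchange_error(crumb["message"])
    if isinstance(event.get("message"), str):
        event["message"] = sanitize_exchange_error(event["message"])
    return event

# Constructed sample messages in the style of exchange client errors (not real output).
SAMPLE_ERRORS = [
    'binance {"code":-2015,"msg":"Invalid API-key ab12****yz89, IP, or permissions."}',
    "bybit insufficient balance: available 1234.5678 USDT, required 2000 USDT",
]
```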